Category Archives: Enterprise Risk Management

It Takes a Team

Originally Published in Biz Magazine, June 2016

Boards of Directors have a job to do. This means that every Board needs to consider what makes for a competent Board. Just as a baseball team comprised of nine pitchers won’t win many games,, A Board comprised of individuals from the same discipline or industry will not be effective. Boards need the right combination of talent to fulfill their responsibilities.

The basis for determining the talent needed to form the Board of Directors comes from two elements: the nature of the organization being governed; and the job responsibilities of the Board of Directors. Using the Board’s terms of reference and the mandate and strategy of the organization we can articulate the competencies needed to fulfill the job. This is the same exercise we go through for employees. An employee has responsibilities and in order to carry out those responsibilities there is an expectation of what makes a person competent for the position. The same is true for Directors.

Booker & Associates has developed a diagnostic process through which we can determine if a Board is comprised of the necessary talent. The Board’s ability is reflected by the composition of the individuals around the table. The first step in the process is to identify the desired skills, knowledge and experience based on the needs of the organization and the stakeholders. Each organization has different needs in the talent of the Board. A financial institution may demand strong financial and risk literacy. A social services organization may demand strong community knowledge.

The next step is to have each Director complete a diagnostic tool which has five dimensions to the assessment: knowledge and capability; attributes; diversity; experience; and education.

The first dimension requires each Director to evaluate their knowledge and capabilities in relation to specific talents required for the governance of the organization. A common evaluation scale we use is: expert, proficient, introductory. Expert means a Director has deep training or experience in the subject and is able to explain the concepts and applications to others. Proficient means they have some training or experience in the subject and can work through material themselves but are not able to help others in understanding the concepts. Introductory means that they have had exposure to the subject but don’t have a clear understanding of the application or concepts and need others to provide explanation.

The next dimension gathers information on a Director’s attributes. Attributes cover aspects such as capacity to serve; independence from management; ability to communicate effectively and respectfully; personal reputation; open mindedness; willingness to listen to others; respectful of diverse perspectives; and willingness to be part of a team.

The dimension of diversity covers demographics (like gender and age), background, and thinking style. Having different thinking styles adds to the dynamic discussion around the table – Boards need Directors who think strategically, those who have a respect for compliance; those who like broad perspective and at times deep discussions; and those who are methodical, quick, reflective, and analytical. Diversity on the Board will allow for thorough discussion, multiple perspectives, new ideas, and taking action.

The fourth and fifth dimensions of education and experience are pulled from the Directors’ resumes. Education covers the curriculum of education, designations and trades which a Director has completed. Experience covers the positions held during their working career, the industries which the individual has worked in, the positions held, as well as experience on other Boards of Directors, and length of time in the sector which the organization operates.

The extract below illustrates a part of the diagnostic tool. It shows the ideal rating which has been determined as required by the organization for specific subject matter, and the next two columns show the individual ratings provided by two Directors. It is not necessary that all Directors meet the ideal rating.

Insert Name of Director: Ideal Rating Director 1 Director 2
KNOWLEDGE gained through education and/or experience
Regulatory Framework 2 1 1
Economics 2 1 2
Executive Talent Management 2 1 3
Risk Literacy 2 1 2
Financial Literacy 2 1 3
Strategic Guidance 3 2 3
Retail Sector 2 2 3
Technology as business channel 2 2 2
Aboriginal Community 3 2 2
Local Community 3 2 3
Other (specify):     Rules of Order
3 = expert; 2 = proficient; 1 = introductory

The talent diagnostic process can be used for a variety of purposes. It can be used to inform the Director recruitment process, determine the orientation process for new Directors, and assist in designing the ongoing education program for Directors.

Risk Governance, Governance Risk

Originally Published in Biz Magazine, September 2015

A key area of responsibility for all Boards of Directors is risk governance. Risk governance focuses on recognizing the risks inherent to the business of the organization and instilling processes to provide for protection of people, assets, and reputation. Governance risk recognizes that the ability or ineffectiveness of a Board can actually add to an organization’s risk profile rather than providing a deductive factor to the risk profile.

We have seen headlines where risk was allowed to consume the organization and lead to drastic consequences. Costa Concordia sailing an unsafe route which the Captain claims was condoned by superiors. General Motors and faulty ignition switches which staff claim was known within the company but action taken to deal with the risk was not adequate. Montreal, Maine & Atlantic and unsafe transport of dangerous goods; XL Foods and tainted beef; Mattel Toys and lead paint. If the Boards were exercising their risk governance responsibility the unfortunate outcomes of these events could have been prevented.

Enterprise risk management (ERM) is a methodology that has been in place for years. Identify the risk, assess the risk, take action to mitigate the risk, and monitor the behaviour of the risk and effectiveness of the risk response. The illustration shows the phases of an effective risk management approach. As an organization moves through the phases in the risk process, the risk intelligence of the organization builds.

Creating a Risk Intelligent Organization


Risk is an inevitable and acceptable part of all businesses. Not managing the level of risk is not acceptable. The ERM process requires an explicit identification of the risks inherent to the business given the products and services offered and the means by which they are delivered. For example, companies which transact over the internet and which store confidential personal information will identify a cyberattack as a high risk. The Board needs to gain assurance that the inherent risks have been thoroughly identified and evaluated in terms of the severity that each presents to the business. More importantly, the Board needs to gain assurance that appropriate measures are being taken to mitigate the risk to an acceptable level. A level that if the risk does still occur, the situation can be dealt with in a calm and reasonable manner. This is not crisis management. It is making sure you don’t have to activate that crisis management plan. It is the essence of operating in a sound and secure manner to achieve the strategic and business objectives of the organization.

Before establishing a risk framework and undertaking the process to identify the risk profile, the following elements must be in place to permit effective risk management.

  1. Support at senior levels: Concern for risk management must start and be supported at the highest level within the company. This includes the governance level and the CEO.
  2. Risk management efforts must be dynamic: This includes active identification, measurement and management of the risks, scanning for changes in the risk profile, and reporting on the risk profile.
  3. Clarity of understanding: There needs to be a clear definition of the risks and these must be understood across the organization.
  4. Accountability: Responsibility for responding to and managing the risks must be clearly understood and individuals held accountable for fulfilling the roles. Everyone is a risk owner.
  5. Resources: Appropriate resources including people and tools need to be deployed and available to help staff, managers, executive, and the Board fulfill their duties within the ERM framework.
  6. Culture: The organization’s culture must support the active managing of risk in terms of attitude.

Risk governance is one thing; the Board also needs to take action to not create governance risk. Does the Board have the capability to oversee the risk profile of the organization? Has it set an appropriate risk appetite? Does it receive fulsome information to monitor the risk profile on a dynamic basis? Does the Board fit within the framework for a risk intelligent organization? To test your risk literacy capability, I invite you to take the self-assessment here.

Fay Booker is the president of Booker & Associates, a consulting firm focused on promoting excellence in corporate governance, risk management and operational effectiveness.

Risk Appetite and Risk Tolerance

No doubt you’ve heard the terms Risk Appetite and Risk Tolerance in discussions about Enterprise Risk Management (ERM) implementation. But do you know the subtle difference between the two? I’ve heard Boards of Directors say ‘risk tolerance’ when they really mean ‘risk appetite’. Let’s clear up some of the confusion.

Risk appetite is a statement regarding the degree of risk which an organization is willing to take or accept in pursuit of its objectives. The risk appetite sets the boundary for risk taking and the tone for taking risk.

Here is an example of the formulation of a risk appetite statement (select the appropriate word):

Given [stability, volatility, uncertainty] in the business environment, [stability, amount of change, anticipated change] in internal operations of the organization, [satisfactory, adequate, unsatisfactory] earnings of the organization over past three years, anticipated [satisfactory, challenging] near term future earnings of the organization, and [surplus, adequate, minimal] capital position, the risk appetite of the organization is [low/modest, moderate, high/assertive].

You must also define what is meant by the levels low/modest; moderate; high/assertive. So that everyone is working within the same parameters.

Risk tolerance is the level of risk that a company is willing to accept in various risk areas. Generally the tolerance can be measured in terms of quantitative and qualitative dimensions. There can be a stated tolerance for the organization as a whole and tolerances by areas within the organization.

Here is an example of a risk tolerance statement:

The Board directs that there be a cost/benefit analysis for the approach to individual and collective risks and directs that residual risk levels that remain not represent a tolerance in excess of 1% of total annual expenses, not jeopardize the health and safety of staff and customers, and not unduly impair the reputation of the company, and that in the event that risk responses are absent or fail, the occurrence of the risk will not cause instability to the company’s daily operations.

Both risk appetite and risk tolerance should be clearly defined and stated in the organization’s Enterprise Risk Management framework. After all the framework relies on these two things to outline what is acceptable and informs strategic and operational decisions.